Intrusion Detection System [Snort]
POSTECH CSE High Performance Computing Laboratory
(PowerPoint presentation transcript)
Intrusion and Intrusion Detection
Intrusion: attempting to break into or misuse your system. Intruders may be from outside the network or legitimate users of the network.
Intrusion can be a physical, system or remote intrusion.
Different ways to intrude
• Buffer overflows
• Unexpected combinations
• Unhandled input
• Race conditions
Intrusion Detection Systems (IDS)
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Different ways of classifying an IDS:
• anomaly detection based
• signature (misuse) based
• host based
• network based
Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization.
Anything distinct from the noise is assumed to be intrusion activity, e.g. flooding a host with lots of packets.
The primary strength is its ability to recognize novel attacks.
Drawbacks of Anomaly detection IDS
• Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.
• These generate many false alarms and hence compromise the effectiveness of the IDS.
Signature based IDS
This IDS possesses an attack description that can be matched to sensed attack manifestations.
The question of what information is relevant to an IDS depends upon what it is trying to detect, e.g. DNS, FTP, etc.
Signature based IDS (contd.)
The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack.
Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the “phf” in “GET /cgi-bin/phf?”), it identifies those network packets as vehicles of an attack.
Drawbacks of Signature based IDS
• They are unable to detect novel attacks.
• Suffer from false alarms.
• Have to be programmed again for every new pattern to be detected.
Host/Applications based IDS
The host operating system or the application logs the audit information.
This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities, etc.
This audit trail is then analyzed to detect traces of intrusion.
Drawbacks of the host based IDS
• The kind of information that needs to be logged is a matter of experience.
• Unselective logging of messages may greatly increase the audit and analysis burdens.
• Selective logging runs the risk that attack manifestations could be missed.
Strengths of the host based IDS
• Attack verification
• System specific activity
• Encrypted and switched environments
• Monitoring key components
• Near real-time detection and response
• No additional hardware
Stack based IDS
They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers.
This allows the IDS to pull the packets from the stack before the OS or the application has a chance to process them.
Network based IDS
This IDS looks for attack signatures in network traffic via a promiscuous interface.
A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
Strengths of Network based IDS
• Cost of ownership reduced
• Packet analysis
• Evidence removal
• Real time detection and response
• Malicious intent detection
• Complement and verification
• Operating system independence
IDS Deployment
• Host based IDS
• Network based IDS
What is Snort?
Snort is a multi-mode packet analysis tool:
• Sniffer
• Packet logger
• Forensic data analysis tool
• Network Intrusion Detection System
Snort metrics:
• Small (~800k source download)
• Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.)
• Fast (high probability of detection for a given attack on 100Mbps networks)
• Configurable (easy rules language, many reporting/logging options)
• Free (GPL/Open Source Software)
Snort Design
Packet sniffing “lightweight” network intrusion detection system
Libpcap-based sniffing interface
Rules-based detection engine
Plug-in system allows endless flexibility
Detection Engine
Rules form “signatures”
Modular detection elements are combined to form these signatures
Wide range of detection capabilities: stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
Rules system is very flexible, and creation of new rules is relatively simple
Plug-Ins
• Preprocessor: packets are examined/manipulated before being handed to the detection engine
• Detection: perform single, simple tests on a single aspect/field of the packet
• Output: report results from the other plug-ins
Snort Rules
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
Sample rule to detect SubSeven trojan:
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
Elements before parentheses comprise ‘rule header’
Elements in parentheses are ‘rule options’
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
Rule header, element by element:
• alert: action to take; also log, pass, activate, dynamic
• tcp: protocol; also udp, icmp, ip
• $EXTERNAL_NET: source address; this is a variable, a specific IP is ok
• 27374: source port; also any, negation (!21), range (1:1024)
• ->: direction; best not to change this, although <> is allowed
• $HOME_NET: destination address; this is also a variable
• any: destination port
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
Rule options, element by element:
• msg:"BACKDOOR subseven 22"; message to appear in logs
• flags: A+; TCP flags; many options, like SA, SA+, !R, SF*
• content: "|0d0…0a|"; binary data to check in the packet; content without | (pipe) characters does simple content matches
• reference…; where to go to look for background on this rule
• sid:103; rule identifier
• classtype: misc-activity; rule type; many others
• rev:4; rule revision number
• other rule options are possible, like offset, depth, nocase
Snort Rules
bad-traffic.rules, exploit.rules, scan.rules, finger.rules, ftp.rules, telnet.rules, smtp.rules, rpc.rules, rservices.rules, dos.rules, ddos.rules, dns.rules, tftp.rules, web-cgi.rules, web-coldfusion.rules, web-frontpage.rules, web-iis.rules, web-misc.rules, web-attacks.rules, sql.rules, x11.rules, icmp.rules, netbios.rules, misc.rules, backdoor.rules, shellcode.rules, policy.rules, porn.rules, info.rules, icmp-info.rules, virus.rules, local.rules, attack-responses.rules, etc.
Total: 48 rule files.
IDSCenter
IDSCenter is a front-end for Snort intrusion detection systems. Features:
• Snort 2.0, 1.9, 1.8, and 1.7 support
• Snort service mode support
• Snort configuration wizard
• Online update of IDS rules
• Ruleset editor
• HTML report from SQL backend
• Alert notification via e-mail, alarm sound or only visual notification
• AutoBlock plugins
• Monitoring
• Logging
• Integrated log viewer
• Program execution possible if an attack was detected
IDSCenter Screenshots
Exercise 1: Run Nmap
Nmap
• A free open source utility for network exploration or security auditing
• Designed to rapidly scan large networks or hosts
• Used to know:
  • what hosts are available on the network,
  • what services (application name and version) those hosts are offering,
  • what operating systems (and OS versions) they are running,
  • what type of packet filters/firewalls are in use, and
  • dozens of other characteristics
http://www.insecure.org/nmap/nmap_download.html
Install Nmap and run it. File to download: nmapwin_1.3.1.exe
Exercise 2: Scan a host
NULL scan a host 141.223.14.148 from port 10 to 100.
Exercise 3: Install IDSCenter
Install Snort: http://www.snort.org File to download: snort-2_1_3.exe
Install IDSCenter: http://www.engagesecurity.com/products/idscenter/ File to download: idscenter11rc4.zip
Run IDSCenter.
Exercise 4: Detect Intrusions
Detect Nmap NULL scan.
Detect Nmap FIN scan. Add a rule to detect TCP FIN scan.
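The following Python script is an added example, not code from the slides or from the Snort project. It is a miniature rule matcher that makes concrete three things the deck describes: the substring-signature idea from the "Signature based IDS (contd.)" slide (the “phf” request), the rule header and rule option semantics walked through on the "Snort Rules" slides (addresses with $VAR expansion and negation, port ranges, flags modifiers, content with |hex| pipes, nocase), and the rules Exercise 4 asks for, which detect FIN-only and NULL TCP probes. The SubSeven rule is the one quoted on the slides; the phf, SCAN FIN and SCAN NULL rules, the $HOME_NET/$EXTERNAL_NET bindings, the sids 1000001–1000003 and every packet record are constructed for this example. Snort itself has preprocessors, stream reassembly and fast multi-pattern matching; none of that is modelled here, and the `<>` direction is not handled.

```python
# Miniature Snort-style rule matcher: added example, not Snort's own code.
# Parses a rule header plus the msg/flags/content/nocase options the slides explain
# and runs rules over constructed packet records.
import ipaddress

# Variable bindings assumed for this example (Snort reads them from snort.conf).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

def parse_rule(text):
    """'action proto src sport dir dst dport (key:val; ...)' -> dict; repeated keys accumulate."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in filter(str.strip, opts.rstrip(")").split(";")):
        key, _, val = opt.partition(":")
        options.setdefault(key.strip(), []).append(val.strip() or True)  # bare 'nocase' -> True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """content: text outside | pipes is literal, text between pipes is hex bytes."""
    parts = value.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def addr_matches(spec, ip):
    """any, a single IP or CIDR block, '!' negation, and $VAR expansion."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """any, a single port, '!' negation, and lo:hi ranges (either end may be empty)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def flags_match(spec, have):
    """flags: exact by default; '+' these bits plus any others, '*' any of them,
    '!' none of them, '0' no bits set at all."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not (set(spec[1:]) & set(have))
    mode = spec[-1] if spec[-1] in "+*" else ""
    want, got = set(spec.rstrip("+*")) - {"0"}, set(have)
    return want <= got if mode == "+" else bool(want & got) if mode == "*" else want == got

def rule_matches(rule, pkt):
    """Header first (direction '<>' is not modelled), then every flags: and content: must hold."""
    o = rule["options"]
    if rule["proto"] != pkt["proto"] or not (
            addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if not all(flags_match(f, pkt["flags"]) for f in o.get("flags", [])):
        return False
    fold = "nocase" in o  # simplification: in Snort, nocase applies only to the preceding content
    hay = pkt["payload"].lower() if fold else pkt["payload"]
    return all((decode_content(c).lower() if fold else decode_content(c)) in hay
               for c in o.get("content", []))

def run(rules, packets):
    """(msg, packet index) for every rule that fires, in packet order."""
    return [(r["options"]["msg"][0].strip('"'), i)
            for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

# First rule: the SubSeven rule quoted on the slides. The other three are constructed
# for this example (sids 1000001-1000003 sit in the range reserved for local rules).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; '
    'content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
    'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; flags:A+; '
    'content:"/cgi-bin/phf"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; sid:1000003; rev:1;)',
]]

def packet(src, sport, dst, dport, flags, payload=b""):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags, payload=payload)

# Constructed traffic: 203.0.113.5 plays the outside host, 192.168.1.10 the protected one.
PACKETS = [
    packet("203.0.113.5", 27374, "192.168.1.10", 1234, "AP", b"\r\n[RPL]002\r\n"),  # SubSeven banner
    packet("203.0.113.5", 40000, "192.168.1.10", 80, "AP", b"GET /cgi-bin/PHF? HTTP/1.0\r\n"),
    packet("203.0.113.5", 40001, "192.168.1.10", 22, "F"),    # FIN-only probe (Exercise 4)
    packet("203.0.113.5", 40002, "192.168.1.10", 22, ""),     # NULL probe: no flags at all
    packet("203.0.113.5", 40003, "192.168.1.10", 443, "FA"),  # normal FIN/ACK teardown, not a scan
    packet("192.168.1.10", 50000, "203.0.113.5", 80, "S"),    # outbound: $EXTERNAL_NET -> $HOME_NET fails
]

def run_example():
    """Alerts for the constructed traffic; the FIN/ACK teardown and the outbound SYN stay silent."""
    return run(RULES, PACKETS)
```

Running `run_example()` yields four alerts, one each for the SubSeven banner, the phf request (matched case-insensitively because of nocase), the FIN-only probe and the NULL probe. The FIN/ACK packet does not fire "SCAN FIN" because `flags:F` is an exact match: writing `F+` instead would alert on every normal connection teardown, which is the false-alarm trap the "Drawbacks of Signature based IDS" slide warns about. The stock scan.rules file listed on the rule-file slide ships rules of this shape for Snort itself.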